Abbott Laboratories : Cyber Insurance Becomes a Must for More Manufacturers

04/17/2017 | 11:14 am

By Richard Teitelbaum

Abbott Laboratories was pilloried last week by regulators for, in part, botching its response to a report that certain company defibrillators and pacemakers could be manipulated by hackers. Shares of the health-care giant, which acquired the devices in its purchase of St. Jude Medical Inc., fell 1.9%.

The criticism, which came in a warning letter from the U.S. Food and Drug Administration, casts another spotlight on the fusillade of cyber dangers facing manufacturers.

For years cyber insurance was overwhelmingly purchased by consumer-facing business -- retailers, financial-service providers and hospitals. Mostly this was to protect against customer data theft. The St. Jude situation helps explain why manufacturers are now rushing to make sure they are covered.

Manufacturers paid $36.9 million in premiums for cyber-specific policies in 2016, according to Advisen Ltd., an insurance consulting firm, based on its sample of over 9,000 mostly U.S. companies. That is up 89% from the year before. Manufacturers accounted for 12.6% premiums tracked in 2016 compared with 9% the year before.

"There's certainly an increased exposure in the industry overall, especially with more reliance on cloud providers, greater sophistication of hackers globally and increased consumer interactions through social media," said Daniel Steiner, enterprise risk manager at Kimberly-Clark Corp., the maker of Kleenex tissues and Huggies diapers. The company began buying cyber insurance in 2009.

Factories are increasingly computerized, automated and digitally integrated with other parts of a company and keeping those networks secure is critical. "It's hard to think of an area of our business that is not touched by this, as business is only becoming more connected," said Eric Dobkin, director of insurance and risk management at drugmaker Merck & Co. in an email.

"Nobody should be able to look at themselves in the mirror and say 'I'm not exposed to this'," said Robert Wice, leader for technology, media and business services of Beazley PLC in the U.S. "It should be top of mind."

As for St. Jude, a company spokeswoman declined to say whether it carried cyber insurance to cover the cardiac devices. A 2016 filing said it did not carry product liability insurance. An Abbott spokesman declined to comment on whether the company has cyber insurance.

In the event of a cyberattack that shuts down a factory, manufacturers may not be covered by existing policies. Many property and casualty, or P&C, policies require physical damage before they pay, explained Ben Beeson, cyberrisk practice leader at brokerage Lockton Cos.

A wake-up call for manufacturers came in December 2014 when the German Federal Office for Information Security reported that a cyberattack caused "massive damage" at a steel plant it didn't name.The report highlighted how cyberattacks can be more destructive than prosaic events like floods that are covered by typical P&C policies.

"When you look at severity, you have to consider they are cyber-based," said Brent Pickens, director of global risk management at Bemis Co. Inc., a maker of plastic packaging that was an early buyer of cyber insurance.

Selecting a cyberpolicy forces manufacturers to set priorities on what to protect, he said, particularly at larger companies that can have policies tailored for different plants and situations. "You get the best return out of [insuring] what is most important for you," Mr. Pickens added.

The market for manufacturers is young, therefore premiums vary greatly and are based on revenue, specific lines of business, and the number of records involved. Premiums range from $10,000 to $15,000 for every $1 million of comprehensive coverage for manufacturers with $1 billion or more in revenue, said Michael Blake, part of the cybersecurity practice at Alliant Insurance Services Inc. That is about half of what retailers and banks pay.

"It's not a difficult sell," said Mr. Blake."There is not a risk manager out there who wants to walk into a board meeting to explain why he didn't think to get a cyber insurance quote, especially since it's so cheap."